While having an empty group may not always be "bad practice," its appropriateness depends on the specific use case and organizational requirements. Nevertheless, there are potential considerations and reasons to exercise caution or avoid empty groups:
Specific scenarios may justify the existence of empty groups, such as placeholders for future use or within a broader role-based access control (RBAC) strategy.
This indicator ignores AD built-in groups (RID < 1000, or name = "DnsAdmins" / "DnsUpdateProxy") because keeping most of them empty is considered a good practice. You can also ignore other technical groups pre-created by applications in your IT environment.
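The exclusion rule above can be reproduced over a directory export to triage findings. The following is an added example, not Tenable's implementation: the record layout, the sample groups and users, and the `extra_ignored` allow-list parameter are assumptions. It also treats a group as populated when a user's primaryGroupID points at it, because that membership is not stored in the group's member attribute; the page does not say how the indicator handles that case.

```python
# Added example: all records below are constructed sample data, not a real export.
IGNORED_NAMES = {"dnsadmins", "dnsupdateproxy"}  # names the page lists as ignored
BUILTIN_RID_LIMIT = 1000                          # page: RID < 1000 is built-in


def rid_of(sid: str) -> int:
    """Return the relative identifier, the last sub-authority of a SID string."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


def find_empty_groups(groups, users=(), extra_ignored=()):
    """Names of groups with no members after applying the page's exclusions."""
    ignored = IGNORED_NAMES | {n.lower() for n in extra_ignored}
    # Primary-group membership lives in the user's primaryGroupID, not in the
    # group's member attribute, so collect those RIDs to avoid false positives.
    primary_rids = {u["primaryGroupID"] for u in users}
    findings = []
    for g in groups:
        rid = rid_of(g["objectSid"])
        if rid < BUILTIN_RID_LIMIT or g["name"].lower() in ignored:
            continue  # built-in or explicitly ignored technical group
        if g.get("member") or rid in primary_rids:
            continue  # group has direct or primary-group members
        findings.append(g["name"])
    return sorted(findings)


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE_GROUPS = [
    {"name": "Domain Guests", "objectSid": f"{DOMAIN}-514", "member": []},
    {"name": "DnsAdmins", "objectSid": f"{DOMAIN}-1101", "member": []},
    {"name": "DnsUpdateProxy", "objectSid": f"{DOMAIN}-1102", "member": []},
    {"name": "HR-Staff", "objectSid": f"{DOMAIN}-1201",
     "member": ["CN=alice,OU=HR,DC=example,DC=test"]},
    {"name": "Old-Project-X", "objectSid": f"{DOMAIN}-1202", "member": []},
    {"name": "Kiosk-Accounts", "objectSid": f"{DOMAIN}-1203", "member": []},
    {"name": "AppVendor-Placeholder", "objectSid": f"{DOMAIN}-1204", "member": []},
]
SAMPLE_USERS = [{"sAMAccountName": "kiosk01", "primaryGroupID": 1203}]

if __name__ == "__main__":
    print(find_empty_groups(SAMPLE_GROUPS, SAMPLE_USERS,
                            extra_ignored=["AppVendor-Placeholder"]))
```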
To limit confusion, security implications, policy compliance issues, and unused resources, empty groups must be either:
Name: Empty AD Group
Codename: EMPTY-GROUP-AD
Severity: Low
Type: Active Directory Indicator of Exposure